1 / 25

Keyword Search and Oblivious Pseudo-Random Functions

Keyword Search and Oblivious Pseudo-Random Functions. Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold. X 1. X 2. X 3. X 4. …. X n. Background: Oblivious Transfer. Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server: x 1 ,x 2 ,…,x n Client: 1 ≤ j ≤ n Output:

connie
Download Presentation

Keyword Search and Oblivious Pseudo-Random Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold

  2. X1 X2 X3 X4 … Xn Background: Oblivious Transfer • Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: • Input: • Server: x1,x2,…,xn • Client: 1 ≤ j ≤ n • Output: • Server: nothing • Client: xj • Privacy: • Server learns nothing about j • Client learns nothing about xi for i ≠ j • 4 • Well-studied, good solutions: O(n) overhead j Xj

  3. Background: Private Information Retrieval (PIR) • Private Information Retrieval (PIR) [CGKS,KO] • Client hides which element retrieved • Client can learn more than a single xj • o(N) communication, O(N) computation • Symmetric Private Information Retrieval (SPIR) [GIKM,NP] • PIR in which client learns onlyxj • Hence, privacy for both client and server • “OT with sublinear communication”

  4. Motivation: Sometimes, OT is not enough • Bob (“Application Service Provider”) • Advises merchants on credit card fraud • Keeps list of fraudulent card numbers • Alice (“Merchant”) • Received a credit card, wants to check if fraudulent • Wants to hide credit-card details from Bob, vice-versa • Use OT? • Table of 1016 ≈ 253 entries, 1 if fraudulent, 0 otherwise?

  5. (x1,p1) (x2,p2) … (xn,pn ) Server: Client: w Client output: (xj ,pj ) iff w=xj Keyword Search (KS): definition • Input: • Server: database X={ (xi,pi ) } , 1 ≤ i ≤ N • xiis a keyword(e.g. number of a corrupt card) • pi is the payload(e.g. why card is corrupt) • Client:search wordw(e.g. credit card number) • Output: • Server: nothing • Client: • piif  i : xi = w • otherwise nothing

  6. Keyword Search from data structures? [KO,CGN] • Take any efficient query-able data structure • Hash table, search tree, trie, etc. • Replace direct query with OT / PIR • Achieves client privacy We’re done?

  7. Keyword Search from hashing + OT [KO] • Use hash function H tomap (xi,pi) to bin H(xi) • Client uses OT to read bin H(w) • Multiple per bin: no server privacy: client gets > 1 elt • One per bin, N bins: no server privacy: H leaks info • One per bin, >> N bins: not efficient

  8. Keyword Search • Variants • Multiple queries • Adaptive queries • Allowing setup • Malicious parties • Prior Work • OT + Hashing = KS without server privacy [KO] • Add server privacy using trie and many rounds [CGN] • Adaptive KS [OK] • But, setup with linear communication, RO model, one-more-RSA-inversion assumption

  9. Keyword Search: Results • Specific protocols for KS • One-time KS based on OPE (homomorphic encryption) • First 1-round KS with sublinear communication • Adaptive KS by generic reduction • Semi-private KS + oblivious PRFs • New notions and constructions of OPRFs • Fully-adaptive (DDH- or factoring-specific) • T-time adaptive (black-box use of OT)

  10. Keyword Search based on Oblivious Evaluation of Polynomials

  11. C S w P(x) = Σaixi P(w) Specific KS protocols using polynomials • Tool: Oblivious Polynomial Evaluation (OPE) [NP] • Privacy: Server: nothing about w. Client: nothing but P(w)

  12. 1-round KS protocol using polynomials • OPE implementation based on homomorphic encryption • Given E(x), E(y), can compute E(x+y), E(c·x), w/o secret key • Server defines on input X={(xi,pi )}, • Z(x) = r · P(x) + Q(x) , with fresh random r xi If xi  X : 0 + pi |0k If xi X : rand • Client/server run OPE of Z(w), overhead O(N) • C sends: E(w), E(w2), …, E(wd), PK • S returns: E(r·Σpi w i + Σqi w i ) = E(r·P(w) + Q(w)) = E(Z(w))

  13. Reducing the overhead using hashing… • Client sends input for L OPE’s of degree m • Server has E(Z1(w)), … ,E(ZL(w)) • Client uses PIR to obtain OPE output from bin H(w) • Comm: O(m = log N) + PIR overhead (polylog N) • Comp: O(N) server, O(m = log N) client publichash function Hm independentof X … L bins Z2 Z1 Fresh random r for Zj(x) = r · Pj(x) + Qj(x) m

  14. What about malicious parties? • Efficient 1 round protocol for non-adaptive KS • Only consider privacy: server need not commit or know DB • Similar relaxation used before in like contexts (PIR, OT) • Privacy against a malicious server? • Server only sees client’s interaction in an OT / PIR protocol • Malicious clients? • Message in OPE might not correspond to polynomial values • Can enforce correct behavior with about same overhead • 1 OPE of degree-m polynomials → m OPEs of linear poly’s

  15. Keyword Search based on Oblivious Evaluation of Pseudo-Random Functions

  16. Semi-Private Keyword Search • Goal: Obtain KS from semi-private KS + OPRF • Semi-Private Keyword Search (PERKY [CGN]) • Provides privacy for client but not for server • Similar privacy to that of PIR • Examples • Send database to client: O(N) communication • Hash-based solutions + PIR to obtain bin • Use any fancy data structure + PIR to query

  17. C S x k Fk(x) Oblivious Evaluation of Pseudo-Random Functions • Pseudo-Random Function: Fk : {0,1}n {0,1}n • Keyed by k (chooses a specific instantiation of F ) • Without k, the output of Fk cannot be distinguished from that of a random function • Oblivious evaluation of a PRF (OPRF) • Client: PRF output, nothing about k • Server: Nothing

  18. key, payload masked by PRF KS from Semi-Private KS + OPRF  (xi, pi )  X, Let x’i | p’i ← Fk(xi ) Let( xi, pi )← (x’i , pi  p’i) S chooses k, defining Fk(·) • Client • Uses OPRF to compute x’ | p’ ← Fk(w) • Uses semi-private KS to obtain ( xi, pi )where xi = x’ • If entry in database, recovers pi = pi p’

  19. key, payload masked by PRF KS from Semi-Private KS + OPRF  (xi, pi )  X, Let x’i | p’i ← Fk(xi ) Let( xi, pi )← (x’i , pi  p’i) S chooses k, defining Fk(·) • Security • Preserved even if client obtains all pseudo-database… • Requires that client can’t determine output of OPRF other than at inputs from legitimate queries

  20. Weaker OPRF definition suffices for KS • Strong OPRF: Secure 2PC of PRF functionality • No info leaked about key k for arbitrary fk, other than what follows from legitimate queries • Same OPRF on multiple inputs w/o losing server privacy • Relaxed OPRF: No info about outputs of random fk, other than what follows from legitimate queries • Does not preclude learning partial info about k • Query set size bounded by t for t-time OPRFs • Indistinguishability: Outputs on unqueried inputs cannot be distinguished from outputs of random function

  21. Other results: constructions of OPRF • OPRF based on non-black-box OT [Y,GMW] • OPRF based on specific assumptions [NP] • E.g., based on DDH or factoring • Fully adaptive • Quite efficient • OPRF based on black-box OT • Uses relaxed definition of OPRF • Good for up to t adaptive queries

  22. OPRF based on DDH [“scaled up” NP] • The Naor-Reingold PRF: • Key k = [ a1, …, aL ] • Input x = x1 x2 x3 … xL • Pseudorandom based on DDH • OPRF based on PRF + OT • Server: [ a1, …, aL ], [ r1, …, rL ] • Client: x = x1 x2 x3 … xL • L OT’s: ri if xi = 0, ai ri otherwise r1 a1r1 OT12 x1=0 r2 a2r2 OT12 x2=1 rL aLrL OT12 xL=1 g^(1 / r1r2…rL)

  23. Relaxed OPRF based on OT a0,2t • Server key: L x 2t matrix • Client input: x = { x1, x2, … , xL} • Client gets L keys using OT12t • After t calls, learns t Lkeys a0,0 aL,0 • Map inputs to locations in L-dimensions using a (t+2)-wise independent, secret mapping h • Client first obliviously computes h(x), then F(h(x)) • Learns t of 2t keys in L dimensions • Probability that other value uses these keys is (1/2)L

  24. Conclusions • Keyword search is an important tool • We show: • Efficient constructions based on OPE • Generic reduction to OPRF + semi-private KS • Fully-adaptive based on DDH • Black-box reduction via OT, yet only good for t invoc’s • Open problem: • Black-box reduction to OT good for poly invoc’s?

  25. Thanks….

More Related